Oracle's Sun.com Hit Along with MySQL.com in SQL Injection Attack

By Fahmida Y. Rashid
Posted 2011-03-29

The same
hackers who exposed all the databases running on MySQL.com attacked Sun.com.

The Romanian
hackers "TinKode" and "Ne0h" compromised two Sun subdomains, www.reman.sun.com and
www.ibb.sun.com, according to a blog post on March 27. Using a SQL
injection attack, TinKode was able to obtain table names, column names and email
addresses stored in one of the tables. It's not clear at this point whether
TinKode compromised any passwords on the Sun.com site or if this information is
being held back for some reason.

TinKode has
been busy in recent days going after MySQL databases. According to TinKode's Bay
Words blog, TinKode used the SQL injection attack on MySQL.com March
27 and on ESET's Romanian page March 20.

The problem
was not with the open-source database software, but with the way the Website
was coded, Chester Wisniewski, a Sophos senior security advisor, wrote on the
Naked Security blog.

In the blind
SQL injection attack on MySQL.com, the same hackers managed to expose database
names, tables, columns, user accounts and passwords. Along with administrator
passwords for the databases, the hackers managed to expose WordPress blog
passwords that had been stored in the tables.

It's not clear
whether the same vulnerability existed on both sites. SQL injection
vulnerabilities allow remote attackers to compromise databases through the Website
by inserting SQL syntax into input fields, such as Web forms. If the
application does not validate or parameterize that input, the injected text is
passed to the database as part of a query, which executes it and returns the
results to the browser for the attacker to see.

"Auditing
your Websites for SQL injection is an essential practice, as well as using
secure passwords," Wisniewski wrote. "Either can lead you down a road
that ends in tears."

Both MySQL.com
and Sun.com have a number of unfixed cross-site-scripting vulnerabilities on
their sites, according to XSSed.com, where security researchers and hackers
submit found XSS flaws. Both domains had issues that were discovered as
recently as January. It is not clear if attackers combined the XSS flaws with
the SQL injection attacks.

Organizations
should regularly check their code to ensure there are no flaws, said Rafal Los, a security evangelist at HP. It's not
enough to just hide SQL errors from an attacker, since these hackers used a
blind SQL injection technique, where they wrote complicated code to expose
little bits of the data at a time and re-created the information, Los noted.
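The two points above, that an injection flaw lives in how the Website builds its queries rather than in the database software, and that suppressing error messages does not close it, can be shown side by side. The following is an added example, not code from the article or from any of the sites it names; it uses a constructed in-memory SQLite table with made-up e-mail addresses, a lookup written by string concatenation beside one written with a bound parameter, and a constructed test input that contains a quote character. The concatenating version swallows database errors, yet its result set still changes with the injected text, which is exactly the signal a blind injection technique relies on; the parameterized version treats the whole input as a literal value and returns nothing for it.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a site's user table (not any real site's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [
            ("alice@example.test", "admin"),
            ("bob@example.test", "editor"),
            ("carol@example.test", "subscriber"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    """The flaw: the user-controlled value is spliced into the SQL text, so the
    database parses it as part of the statement rather than as a string value.
    Errors are hidden from the caller, which is what 'hiding SQL errors' means;
    note that the query still runs exactly as the attacker shaped it."""
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return []  # no error reaches the browser, but the behaviour is unchanged


def lookup_safe(conn, email):
    """The fix: a bound parameter. The driver sends the value separately from the
    statement, so quotes or keywords inside it can never alter the query."""
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def compare(email):
    """Run both lookups on the same input and report how many rows each returned."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, email),
        "safe": lookup_safe(conn, email),
    }


if __name__ == "__main__":
    # A normal value behaves the same way in both versions.
    print(compare("alice@example.test"))
    # Constructed input containing a quote: the vulnerable version returns every
    # row without raising any error, the safe version returns nothing.
    print(compare("x' OR '1'='1"))
```

The difference in row counts, with no error anywhere, is why auditing the code that builds queries matters more than tuning what the error page shows; a Web application firewall or log review can flag the quote characters, but only the parameterized form removes the flaw.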

Organizations
are beginning to catch on about the importance of checking their Websites for
SQL injection vulnerabilities, Los told eWEEK. Things weren't "great, just
better," he said, noting that there were fewer incidents of SQL injection
attacks compromising critical Websites such as banking and e-commerce sites.
Most SQL injection attacks tend to be on older and less sensitive sites, he
said.

Oracle is not
likely to do any immediate fixing on Sun.com, as the company is moving away
from using that domain. Oracle is currently redirecting all sun.com URLs to
Oracle domains with "1:1 redirects where possible," according to a March 10
post by Richard Ramsey, on the Oracle Technology Network Garage blog.

The domain had
been redirecting to an Oracle site for some time, and most of the content that
was on BigAdmin, OpenSolaris.com and some sections of SDN has already been
migrated to the System Admin and Developer Community on the Oracle Technology
Network, according to Ramsey. The blogs at blogs.sun.com will continue to
function as is as Oracle builds out a similar blogging platform on oracle.com,
he said. There was no word on what will happen to other subdomains, such as
java.sun.com.

Oracle
acquired Sun Microsystems and its entire open-source portfolio, including Java
and MySQL, in April 2009. However, regulatory reviews delayed the close of the
$7.4 billion buy-out until January 2010. Oracle has yet to comment or
acknowledge the breach on either Sun.com or MySQL.com.